After burglaries, mystery car unlocking device has police stumped

It's February, about an hour after midnight, and three men in oversized clothing and hats walk silently down a deserted residential street in Long Beach, California. Each one goes up to a car in the area, takes out a small electronic device, and pulls on the passenger side car handle. The first man tries a car in the street. It doesn't open, and he walks on. The other two men try an Acura SUV and an Acura sedan in one home's driveway. Both of the cars unlock, their overhead lamps going on. The two men rummage through the cars, taking what they find. They shut the car doors and walk off.

Video of this scene was recorded by a surveillance camera placed in the driveway where the two Acuras were parked. The Long Beach Police Department (LBPD) says that eight vehicles in total were “accessed and burglarized” in the same neighborhood that night. But despite having footage of the crime, the LBPD was not able to determine how the electronic devices worked or who the suspects were.

Auto burglary technology grants keyless access.

In April, the Long Beach Police posted the surveillance video on YouTube, desperate to figure out just how the electronic device used by the three suspects works. Ars spoke to a Long Beach Police spokeswoman who confirmed that after another two months, the department still hasn't come to a conclusive answer.

The Today Show's Jeff Rossen also interviewed an Illinois man who has similar footage of a thief breaking into his Honda Accord using an electronic device, also from the passenger side of the vehicle.

“We are stumped and we don't know what this technology is,” Long Beach Deputy Police Chief David Hendricks told The Today Show on Thursday. The department said it has contacted auto makers and car alarm manufacturers to no avail.

While keyless entry systems have been available for cars in rudimentary forms since the late '80s, modern transmitter codes are generally encrypted. Most transmitters rely on a “rolling code” that changes in a planned sequence, to stop would-be thieves from standing near the car as the owner opens it, listening in on the UHF signal that the transmitter sends to the car, and reusing it. The Register noted that last year saw a spike in BMW break-ins due to the sale of a $30 on-board diagnostics bypass tool that allows hackers to reprogram blank keys for use on specific cars, but the US attacks appear to be different.

One interesting theory, however, was put forth on the LBPD's YouTube channel two months ago. “One has to wonder if they were using signal repeaters to join the car to the key—which was presumably inside the house some distance away,” one commenter wrote. “Usually both the key fob and the car must be close together but with a repeater to boost the strength in both directions, the distance could be extended significantly. This type of hack was described more than two years ago by a Professor from ETH Zurich (? Iirc).”

Ars believes the commenter is referring to an academic paper explaining how to increase the signal strength of a car's passive keyless entry system.

The Long Beach police media relations team responded by saying that it would forward the idea to the detective on the case, but it seems a resolution is still outstanding. A signal repeater would explain why the device might not work on cars in the street (which could be too far away for a signal boost) but might work on cars parked closer to the house. It does not explain the consistent passenger-side entry, however.
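An added sketch (not from the article, the cited paper or any car maker's code) of the two mechanisms discussed above: a rolling-code receiver rejecting an overheard frame, and a passive-entry challenge-response that a repeater passes unless the car also bounds the round-trip time. HMAC-SHA256 stands in for a vendor cipher; `WINDOW`, `MAX_RTT_NS`, the class names and all timing values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

WINDOW = 16          # assumed: counters this far ahead of the last one are accepted
MAX_RTT_NS = 5_000   # assumed: longest round trip the car treats as "fob is nearby"

def tag(key, msg):
    """Truncated HMAC-SHA256, standing in for a vendor's keyed cipher."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        """Button press (one-way): next counter plus a MAC over it."""
        self.counter += 1
        return self.counter, tag(self.key, self.counter.to_bytes(4, "big"))

    def answer(self, challenge):
        """Passive entry: answer any challenge that reaches the fob."""
        return tag(self.key, challenge)

class Car:
    def __init__(self, key):
        self.key, self.last = key, 0

    def accept_press(self, counter, mac):
        # Rolling code: only counters strictly newer than the last accepted one.
        if not self.last < counter <= self.last + WINDOW:
            return False
        if not hmac.compare_digest(mac, tag(self.key, counter.to_bytes(4, "big"))):
            return False
        self.last = counter
        return True

    def accept_passive(self, channel, rtt_ns, enforce_rtt):
        # Challenge-response proves the key answered, not that it is close by.
        challenge = os.urandom(8)
        if not hmac.compare_digest(channel(challenge), tag(self.key, challenge)):
            return False
        return rtt_ns <= MAX_RTT_NS if enforce_rtt else True

def demo():
    key = os.urandom(16)
    fob, car = Fob(key), Car(key)
    frame = fob.press()                      # constructed: one overheard button press
    repeater = lambda ch: fob.answer(ch)     # forwards bytes unchanged, adds delay only
    return {
        "first_press": car.accept_press(*frame),
        "replayed_press": car.accept_press(*frame),
        "fob_nearby": car.accept_passive(fob.answer, 1_000, True),       # constructed RTT
        "relayed_no_rtt_check": car.accept_passive(repeater, 50_000, False),
        "relayed_with_rtt_check": car.accept_passive(repeater, 50_000, True),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

In this model the rolling counter defeats the replayed frame, but a valid response forwarded by a repeater is only rejected when the timing bound is enforced.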

270 Reader Comments

I doubt this is a fob duplication or faking system - it doesn't make any sense from the evidence.

Facts to consider:
- It only works on certain vehicles.
-- But works on different manufacturers' vehicles
- It only works on the passenger side door.
- It only works point blank at the door when attempting to open it.

This would suggest to me some sort of design failure in the keyless entry system that manifests itself at the passenger side door. Why not look through the engineering specs for those particular vehicles?

The repeater theory doesn't hold water due to the fact the Rossen video showed two people breaking into cars in a parking garage.

Passenger side entry is likely just because it is easier to get in / out of the car in case they are discovered, and gives them faster access to the glove box without reaching.

What I am curious about is if this is a 'open the door from the passive fob' where you can just walk up to a car and it opens (cannot think of the term)? If that is the case, can't that usually start the car too? I am surprised they did not try that.

Side note: A technical mystery thriller on Ars. An unsolved crime and some pretty smart people about to start all sorts of theories as to how this was perpetrated. Unusual for the site, but I like it as it changes things up a bit. This will be fun. Thanks!

That would only work on the subset of cars that not only have remote start, but which also don't require a key to be inserted into the ignition before being driven.

passenger door entry will often unlock all doors where driver's side entry will only unlock the driver's side door. this is at least the case in both of my keyless vehicles.

if i were one of these guys, i'd rather unlock all doors at once if the vehicle requires the key for the interior unlock to work, or for locked door openings to not sound an alarm, i'd say this is just battery conservation on the repeaters

The signal repeater theory is interesting but there are a lot of cars that don't have those.

What I was thinking might be happening is that the cars that were vulnerable have something wireless that is connected to the car's data bus. If you can get in through that wireless connection then once you get on the database, just about everything is fair game. Those things weren't really designed with security in mind.

People have already started playing around with the idea of what you could do if you got inside a car's bus. Christian Science Monitor wrote an article about hacking in through wireless tire pressure sensors, and Jalopnik wrote about what you could do if you had access to OBD-II.

When I read about this on Slashdot, one of the first comments was that they got in so easily because the cars weren't locked and the owners didn't want to fess up to it, because they would not get their insurance claim. After seeing this footage I'm leaning that way as well. Even though the video is in a lower res but still rather clear, I couldn't help but notice neither car's lights flashed prior to the 2 criminals opening the passenger door. I've never seen a stock car alarm not flash the lights indicating the alarm has either been enabled or disabled. Then they got on the passenger side because they didn't want to risk bumping the horn and for easier access to the glove box.

the light clearly comes on before he pulls the door handle. in both cases

I wouldn't rule out some sort of NFC technology (the range might not be far enough). With my Toyota's fob, I can walk right up to the driver's or passenger's door and unlock the car without pressing a button. I wonder if there is some sort of "service override" for these types of locks and these guys are using an NFC-equipped smartphone with a hack.

Bluetooth would have the range (the need for pairing wouldn't make sense), though, and some cars have smartphone apps for remote start and door unlocking. There could be a hack they're using for cars with this option.

That sounds like the repeater argument and it still doesn't make sense.

My Toyota's lights come on when I walk up to the car. The lights don't flash, either, when I pull the door handle to open the door - the door automatically unlocks when I pull the handle.

It should be noted that the cars indicated in the article were Hondas and Acuras, which are made by Honda. It could be a vulnerability in the Honda locks (or the article fails to mention other manufacturers).

Interior lights come on when they open the door but the headlights and turn signals not so much.

I don't think so. It would explain much of your OP. My fob, unless I press a button, doesn't send a radio signal. It's all proximity. When I walk by the car in close enough range, the lights come on, and I can unlock the door by just pulling the handle. All without touching the fob; it's just in my pocket.

EDIT: It may also explain why they don't take the cars (or maybe not). When the battery dies on my fob, I just have to hold it against the ignition button (push-to-start) for the car to start. Maybe the hack gives them access to the doors, but not the ignition.

It would be useful to know the difference between the unlocking mechanisms of the three cars mentioned in the narrative. Since it didn't work on one of them, that will give some clues as to why it didn't work.

My question is, how much entropy do the unlock codes, encrypted or not, have in the Acuras?

headlights and turn signals don't come on for me either. you're missing the point. the interior lights are coming on before they open the doors.

"It does not explain the consistent passenger-side entry, however." It is closer to the glove box. If you are not stealing the car it makes no sense to use the driver side door to get at the glove box, or the center console.

With my keyless entry, I hit the button once to unlock just the driver's door, twice to unlock all doors. Maybe it has something to do with that (the unlocking of just the passenger's side doors).

It seems likely to me that The Mystery Device would broadcast codes in bursts, repeating each code some number of times (three to five times, something like that), with some fixed delay between broadcasts. That would probably be my approach, anyway, depending on the design of the target system(s). I would think that would increase the likelihood of success overall, by overcoming temporary interference or marginal range issues. Without such issues, it might also have the effect of a 'double click', so to speak, with each broadcast code being successfully received, thereby having the 'all doors' result. With that option, the passenger side door is then preferable, for reasons that others have cited. (Glove box, no steering wheel obstacle or horn tootin' risk, etc.)

Mine come on before I open my door...as the mechanism disengages allowing the door to open. Criminals overall may be stupid but a lot of them are very good at their craft. With cars you don't want to be banging around you need to be careful because you never know if another car nearby has a super sensitive alarm.

On my '06 'Vette the FOB had to be inside the passenger cabin of the car for the push-to-start button to work. How did it know it was in the cabin? I have no idea. However, I tested it and putting it no more than 6" outside the window would prevent the button from starting the engine. If the thieves are in fact using a repeater there's certainly no way to fake that the FOB is inside the car.

Maybe the thieves are (or know) valets and they figured out how to steal key signals that way. Then it is just a matter of figuring out where people live, and that might be on the insurance cards in the glove box. Hard to tell without more facts about the other vehicles that were hit.

Mine is the same way, I would think some sort of RFID device. Surely it's not sending a signal all the time. It also has a very short range, so my car has a receiver under both front seats and at the back. It will only unlock the front door I touch (by default). If I open the hatch, it will relock the vehicle when I close it and beep the horn.

Notice how when the guy gets into car #1, car #2's lights don't come on. Notice also how after guy closes the passenger door on car #2, the other guy tries the driver side door and can't get in, while the light is still on.

That makes it look to me like a proximity detector hack, as others have noted.

The passenger side is where the glove box is located. Unless you are trying to steal the car, the passenger side would be the quickest access to anything valuable. Thieves are opportunists. Why crawl over the driver's seat with the steering wheel in your ribs, just to search a center console or glove box?

I remember listening to a TED talk about how car computers/wireless communications systems are not exactly the most secure ones out there. A group of researchers bought two cars and broke into the cars wirelessly, unlocked the doors, and started the engine. They could also mess with the brakes and install malware.